Signal, Proton, Brave, GrapheneOS: The Privacy Stack That Actually Works
Most 'privacy tools' are marketing. These aren't. A breakdown of the tools that actually change the math on who has access to your data — and why the defaults are designed to work against you.
Every default on your phone, laptop, and browser was chosen by a company whose revenue depends on watching you. Google’s $264.6 billion in 2023 ad revenue didn’t come from selling software. It came from selling predictions about your behavior — predictions built on data you never consciously handed over.
The defaults aren’t defaults because they’re the best option. They’re defaults because they’re the most profitable option for someone else.
There’s a different stack. Not theoretical. Not experimental. Tools used by journalists, dissidents, security researchers, and a growing number of ordinary people who looked at the terms of service and decided the deal was bad. Here’s what actually changes when you swap them in — and why the originals were designed the way they were.
Signal
Signal is the only mainstream messaging app where privacy isn’t a feature bolted onto an advertising business. It’s the entire point.
The Signal Protocol — open source, audited, formally verified by cryptographers at Oxford, Queensland University of Technology, and McMaster University — provides end-to-end encryption so that Signal’s own servers can’t read your messages. But encryption is the easy part. Every competitor claims encryption. The difference is metadata.
WhatsApp uses the Signal Protocol for message content. Meta still collects everything around the message: who you talk to, when, how often, how long, your group memberships, your phone number, your contacts list, your device identifiers.
A 2021 ProPublica investigation revealed that WhatsApp employs over 1,000 contract workers in Austin, Dublin, and Singapore who review messages that users report — meaning reported content is decrypted and readable. Meta’s own court filings in the FTC antitrust case confirmed the company uses WhatsApp metadata to improve ad targeting across its platforms.
The encryption protects the words. It doesn’t protect the pattern — and the pattern is what’s worth money.
Telegram is worse. Despite its reputation as a “secure” messenger, Telegram does not enable end-to-end encryption by default. Standard chats use client-server encryption — meaning Telegram’s servers hold the keys and can read every message. Only “Secret Chats” (a buried, opt-in feature that doesn’t work for groups) use end-to-end encryption.
When French authorities arrested founder Pavel Durov in August 2024, the implications were immediate: Telegram stores messages on its servers in a format it can technically access. Durov was indicted on charges including complicity in facilitating criminal activity on the platform — charges that presuppose the ability to moderate, and therefore access, stored content.
iMessage encrypts messages end-to-end between Apple devices. But iCloud backups — enabled by default — store those messages in a format Apple can decrypt with a court order. Apple introduced Advanced Data Protection in late 2022, which extends end-to-end encryption to iCloud backups, but it’s off by default. Most users never enable it.
The FBI’s own internal documents, obtained via FOIA by Rolling Stone in 2024, list iMessage as one of the most accessible messaging platforms for law enforcement when iCloud backup is active. Encrypted by default, accessible by default. A contradiction that works in law enforcement’s favor.
| | Signal | WhatsApp | Telegram | iMessage |
|---|---|---|---|---|
| E2E encrypted | Always | Content only | Opt-in only | Default* |
| Metadata collected | None | Extensive | Everything | Via iCloud |
| Open source | Yes | No | Partial | No |
| Ad-funded | No | Meta | Ads launched | No |
Signal collects almost nothing. Their response to a grand jury subpoena in 2021 — published on their blog with the court documents — showed the only data they could provide: the date the account was created and the date it last connected.
No contacts. No groups. No message history. No metadata. That’s not a privacy policy promise. That’s a technical architecture. They don’t have it because they never collected it.
Email: Proton vs. Gmail
Google processes every email that touches Gmail. Their own terms grant them the right to “scan, index, and analyze” your content for advertising and product improvement. They stopped using email content for ad personalization in 2017 — after public backlash — but still scan for “smart features,” still build profiles from email metadata, and still hold all content in plaintext on their servers.
Accessible to Google employees with the right clearance. Accessible to law enforcement with a warrant. 1.8 billion users. All readable.
ProtonMail uses zero-access encryption. Emails at rest on Proton’s servers are encrypted with keys derived from your password — which Proton never sees. Even if compelled by Swiss law enforcement (their jurisdiction), Proton can’t hand over email content because they can’t decrypt it.
Founded at CERN in 2014 by scientists who’d worked on the Large Hadron Collider, Proton now has over 100 million users. Swiss privacy law — specifically the Federal Act on Data Protection — provides a legal framework that doesn’t recognize foreign subpoenas. The combination of zero-access encryption and Swiss jurisdiction isn’t a marketing claim. It’s a structural barrier.
Worth noting: Proton has complied with Swiss legal orders to provide IP addresses in specific criminal cases. They’re transparent about this — it’s documented in their transparency reports. The distinction is that email content remains encrypted and inaccessible, even to Proton. If IP privacy matters to your threat model, route through Tor or a VPN. The point is that Proton is honest about what they can and can’t protect, which is more than most services offer.
Browser and Search
Chrome is a Google product. It sends browsing data to Google servers, syncs with your Google account, and operates as the front door to Google’s tracking ecosystem. The browser is the surveillance tool.
Third-party cookies are only part of it. Chrome’s Topics API — its replacement for cookies — still profiles your browsing interests and shares them with advertisers. Google controls the browser, the search engine, the ad network, and the analytics platform embedded on 85% of websites. The vertical integration is complete.
Brave is built on Chromium — the same open-source engine Chrome uses — so every website works identically. But Brave strips Google’s tracking code, blocks ads and trackers by default (no extensions needed), and includes built-in Tor integration for anonymous browsing.
Firefox is also legitimate. Mozilla’s revenue model has its own complications — they receive roughly $450 million annually from Google for default search placement — but the browser itself is open source and privacy-configurable. It’s not Chromium-based, which means it’s not feeding Google’s engine monopoly. Both are real options. The important thing is leaving Chrome.
For search: Google Search is the core of the surveillance apparatus. Every query tied to your profile, used to refine the behavioral model that drives their ad business.
DuckDuckGo doesn’t track searches, doesn’t build profiles, doesn’t personalize results. Startpage proxies Google’s results without Google’s tracking — you get Google’s index without Google watching. Neither is perfect, but both break the feedback loop where your searches refine the profile that targets you.
GrapheneOS
This is the most consequential swap on the list.
Stock Android phones contact Google approximately 340 times per day at idle — transmitting IMEI numbers, hardware serial numbers, location-adjacent data, and device identifiers. You can’t uninstall Google Play Services. It has system-level privileges. It runs at boot. The opt-out toggles, as Professor Douglas Leith demonstrated at Trinity College Dublin, don’t meaningfully reduce data transmission.
The architecture is built for collection. The toggles are cosmetic.
GrapheneOS is a hardened Android fork that removes Google’s surveillance infrastructure entirely. No Play Services. No background telemetry. Zero pings to Mountain View. But the engineering goes deeper than just removal.
Verified boot ensures the operating system hasn’t been tampered with — every component is cryptographically signed and checked at startup. Stock Android has verified boot too, but it’s verifying Google’s software. GrapheneOS verifies its own chain of trust — one that doesn’t include Google’s telemetry infrastructure.
Sandboxed Google Play is the critical innovation. If you need Google apps — banking apps, rideshare, whatever still requires Play Services — GrapheneOS lets you install them as regular sandboxed apps with no special privileges. They function normally. They can’t access system-level data. Google Play runs in a cage instead of running the zoo.
No other Android fork has solved this problem as cleanly. LineageOS, CalyxOS, /e/OS — most force you to choose between Google app compatibility and privacy. GrapheneOS eliminated that tradeoff. You get both. The apps work. Google doesn’t get root.
Per-connection MAC randomization generates a new hardware identifier for every network connection — not just every network, every connection — making device tracking across Wi-Fi networks effectively impossible.
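An added example (not from the original article, and not GrapheneOS or Android code) that models the difference between per-network and per-connection randomization as seen by a Wi-Fi operator who correlates visits by MAC address only. The HMAC-based per-network derivation, the SSID `CafeGuest`, and all function names are illustrative assumptions.

```python
import hashlib
import hmac
import secrets


def _as_local_unicast(raw6: bytes) -> str:
    """Format 6 bytes as a MAC with the locally-administered bit (0x02) set
    and the multicast bit (0x01) cleared in the first octet."""
    first = (raw6[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in bytes([first]) + raw6[1:6])


def per_network_mac(device_secret: bytes, ssid: str) -> str:
    """Assumed model of per-network randomization: the address is derived
    from a device secret and the SSID, so it is stable for that network."""
    digest = hmac.new(device_secret, ssid.encode(), hashlib.sha256).digest()
    return _as_local_unicast(digest[:6])


def per_connection_mac() -> str:
    """Model of per-connection randomization: a fresh address every time."""
    return _as_local_unicast(secrets.token_bytes(6))


def is_locally_administered(mac: str) -> bool:
    """True for unicast addresses with the locally-administered bit set,
    which is what randomized addresses look like on the wire."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def distinct_devices_seen(macs) -> int:
    """What an operator keying purely on MAC address counts as devices."""
    return len(set(macs))


def simulate(visits: int = 5, ssid: str = "CafeGuest"):
    """Return (devices seen under per-network, devices seen under
    per-connection) for the same phone joining one network `visits` times."""
    secret = secrets.token_bytes(32)  # constructed sample device secret
    per_net = [per_network_mac(secret, ssid) for _ in range(visits)]
    per_conn = [per_connection_mac() for _ in range(visits)]
    return distinct_devices_seen(per_net), distinct_devices_seen(per_conn)


if __name__ == "__main__":
    print(simulate())
```

Under the per-network model, repeat visits to the same network collapse into one recognizable device, while the per-connection model gives the operator a new address each time.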
Duress PIN lets you set a secondary unlock code that triggers a factory reset, designed for situations where someone compels you to unlock your device.
Storage scopes restrict app access to only the files you explicitly grant, rather than the broad storage permissions stock Android hands out.
The project is maintained by Daniel Micay and a team of security engineers, funded entirely by donations and foundation grants. No corporate parent. No advertising model. No incentive to compromise. The security audit record is public. The code is auditable. The attack surface is smaller than stock Android by design — because every line of Google’s telemetry code that got removed is a line that can’t be exploited.
VPN: A Quick Note
ProtonVPN offers a free tier — unlimited bandwidth, no ads, no logs. Swiss jurisdiction. Their no-log policy has been audited by Securitum (2022) and confirmed in a legal case where Swiss authorities requested user data and Proton had nothing to hand over.
Most commercial VPNs claiming “no logs” have never been independently verified — and several have been caught lying. HideMyAss provided logs to the FBI in the LulzSec investigation. PureVPN handed IP logs to the FBI in a 2017 cyberstalking case despite advertising a strict no-log policy. IPVanish did the same in a 2016 Homeland Security investigation.
The marketing said one thing. The subpoena response said another. If you’re going to route your traffic through someone else’s servers, make sure the claim has been tested under pressure.
All of this is the software side. Signal on a phone that still pings Google 340 times a day. ProtonMail on a laptop with a browser shipping data to Mountain View. The tools matter — but they’re running on hardware configured against you.
The hardware side closes the remaining gaps. A phone running GrapheneOS out of the box — no Google, no telemetry, no configuration required. A hardware security key that makes credential theft physically impossible — included in the starter kit alongside the tools that lock down the rest of the stack.
The software is free. The knowledge is public. The part most people never get to is the foundation underneath.